[2602.19539] Can a Teenager Fool an AI? Evaluating Low-Cost Cosmetic Attacks on Age Estimation Systems
Summary
This paper evaluates the effectiveness of low-cost cosmetic modifications in deceiving AI age estimation systems, revealing significant vulnerabilities in current models.
Why It Matters
As age estimation systems become critical for online content regulation, understanding their weaknesses is essential. This study highlights how easily accessible cosmetic changes can manipulate these systems, raising concerns about their reliability and the potential for misuse in age verification processes.
Key Takeaways
- Simple cosmetic changes can significantly alter AI age predictions.
- The study introduces the Attack Conversion Rate (ACR) as a new metric for evaluating model robustness.
- Vision-language models show lower ACR compared to specialized models, indicating varied vulnerabilities.
- Combining multiple cosmetic modifications can increase the effectiveness of deceiving age estimators.
- The findings call for improved adversarial robustness evaluations in age verification systems.
Computer Science > Computer Vision and Pattern Recognition
arXiv:2602.19539 (cs)
[Submitted on 23 Feb 2026]
Title: Can a Teenager Fool an AI? Evaluating Low-Cost Cosmetic Attacks on Age Estimation Systems
Authors: Xingyu Shen, Tommy Duong, Xiaodong An, Zengqi Zhao, Zebang Hu, Haoyu Hu, Ziyou Wang, Finn Guo, Simiao Ren
Abstract: Age estimation systems are increasingly deployed as gatekeepers for age-restricted online content, yet their robustness to cosmetic modifications has not been systematically evaluated. We investigate whether simple, household-accessible cosmetic changes, including beards, grey hair, makeup, and simulated wrinkles, can cause AI age estimators to classify minors as adults. To study this threat at scale without ethical concerns, we simulate these physical attacks on 329 facial images of individuals aged 10 to 21 using a VLM image editor (Gemini 2.5 Flash Image). We then evaluate eight models from our prior benchmark: five specialized architectures (MiVOLO, Custom-Best, Herosan, MiViaLab, DEX) and three vision-language models (Gemini 3 Flash, Gemini 2.5 Flash, GPT-5-Nano). We introduce the Attack Conversion Rate (ACR), defined as the fraction of images predicted as minor at baseline that flip to adult after attack, a population-agnostic metric that does not depend on the ra...
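The ACR definition in the abstract, written out as an added example (not code from the paper): it computes ACR per model and attack over constructed prediction rows and contrasts it with the raw share of images predicted adult after attack. The 18-year adult cutoff, the row layout, and the `model_*` and attack labels are assumptions made for illustration.

```python
from collections import defaultdict

ADULT_AGE = 18  # assumption: the page does not state the adult cutoff

# Constructed rows: (model, attack, baseline_pred_age, attacked_pred_age)
SAMPLE = [
    ("model_a", "beard", 15.2, 19.1),
    ("model_a", "beard", 16.8, 17.5),
    ("model_a", "beard", 20.3, 24.0),   # already adult at baseline
    ("model_a", "beard", 17.9, 18.0),
    ("model_a", "beard+grey_hair", 15.2, 22.4),
    ("model_a", "beard+grey_hair", 16.8, 18.6),
    ("model_b", "beard", 14.0, 15.0),
    ("model_b", "beard", 17.0, 17.9),
    ("model_c", "wrinkles", 19.0, 25.0),  # no baseline minors at all
]

def attack_conversion_rate(rows, adult_age=ADULT_AGE):
    """Per (model, attack): (ACR or None, flipped count, baseline-minor count).

    Only images predicted minor at baseline enter the denominator; ACR is
    None when a group has no such images, so it is never reported as 0.
    """
    minors, flipped = defaultdict(int), defaultdict(int)
    for model, attack, base, attacked in rows:
        key = (model, attack)
        minors[key] += 0                 # register the group even if empty
        if base >= adult_age:
            continue                     # not a baseline minor: excluded
        minors[key] += 1
        if attacked >= adult_age:
            flipped[key] += 1
    return {k: (flipped[k] / n if n else None, flipped[k], n)
            for k, n in minors.items()}

def post_attack_adult_rate(rows, adult_age=ADULT_AGE):
    """Raw share predicted adult after attack, counting every image."""
    total, adult = defaultdict(int), defaultdict(int)
    for model, attack, _base, attacked in rows:
        total[(model, attack)] += 1
        adult[(model, attack)] += attacked >= adult_age
    return {k: adult[k] / total[k] for k in total}

if __name__ == "__main__":
    raw = post_attack_adult_rate(SAMPLE)
    for key, (acr, hit, n) in sorted(attack_conversion_rate(SAMPLE).items()):
        shown = "n/a" if acr is None else f"{acr:.2f}"
        print(key, f"ACR={shown} ({hit}/{n})", f"raw_adult_rate={raw[key]:.2f}")
```

For `model_a` under `beard`, the raw adult rate is higher than the ACR because it also counts the image that was already predicted adult before any modification.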